The present invention relates to methods for managing threats on systems and to managing countermeasures for mitigating the threats.
Threat analysis is an ongoing process whose aim is to mitigate the risk posed by different types of threats, reduce damages and ensure the continuity, availability and successful operation of systems. It involves assessment of potentially damageable assets, modeling threats and vulnerabilities and valuating risks and countermeasures. The progresses in computing and communications together with the globalization of economical and social processes has emphasized the need for proactively analyzing risks and constantly evolving assessment models of realist threats against systems. Optimally, threat models should be constructed from the very first steps of system planning, taken into consideration in advanced design stages and continuously maintained and updated through the whole life cycle of the system.
Threat modeling involves identifying the assets of the system that are at risk, identifying system vulnerabilities and weaknesses and discovering scenarios of threats that can take advantage of these vulnerabilities and damage the assets. The outcome of the process is a set of proposed countermeasures that might mitigate the threats that were identified. The prosperity of the system directly depends on the effectiveness of the efforts invested in protecting the system assets against the identified threats. Since the implementation of all of the proposed countermeasures is, in most cases, impractical due to limitations of budget, time and resources, the goal of a beneficial threat analysis process is to propose the set of the most cost-effective countermeasures against the identified threats.
The effectiveness of a countermeasure is measured by the overall mitigation it provides to the system risks in relation to the cost of implementing it. One can use the above measure of effectiveness of countermeasures in order to decide upon the priorities in implementing the countermeasures. The outcome is a realistic item list of actions to be taken in each stage of the system life cycle.
US Patent Applications 20030046128 is a computer-implemented method and system for assessing the overall risk in at least part of an information technology system includes inputting into a risk assessment database a plurality of identified risks in a system; associating the risks to at least one severity band in a risk echelon; assigning a value to each risk; multiplying each risk value by a coefficient factor; and summing the factored risk values to determine the overall risk. The method preferably includes modifying the security implementation of the information technology system and determining the modified overall risk. The system preferably includes an automated vulnerability detection scanner to gather risk information, which is stored on a database and used in calculating the overall risk.
US Patent Applications 20030182337 discloses a method, system and computer product for risk valuation. A computer assigns a risk to an object. The object has an object measure-value and the risk has at least one threat level. The computer receives a probability of the threat level. The probability refers to the object. The computer calculates the object measure-value by using the probability of the threat level and by using a deviation-value that corresponds to the threat level and relates to the object. The article “Paranoid Penguin: Practical Threat Analysis and Risk Management” published at http://www.linuxjournal.com/article.php?sid=5567 describes a risk valuation method in which for each vulnerability associated with each asset, the estimated cost of replacing or restoring that asset is calculated (its single loss expectancy) and then the vulnerability's expected annual rate of occurrence is estimated. The annual vulnerability loss expectancy may be calculated by multiplying these two factors.
Attack Trees as described in http://www.schneier.com/paper-attacktrees-ddj-ft.html provide a formal methodology for analyzing the security of systems and subsystems. They provide a way to think about security, to capture and reuse expertise about security, and to respond to changes in security. According to the suggested perspective security should be viewed as a process and attack trees form the basis of understanding that process.
The Threat Modeling Tool, as described in http://www.microsoft.com/downloads/details.aspx?familyid=62830f95-0e61-4f87-88a6-e7c663444ac1&displaylang=en allows users to create threat model documents for applications. It organizes relevant data points, such as entry points, assets, trust levels, data flow diagrams, threats, threat trees, and vulnerabilities into an easy-to-use tree-based view. The tool saves the document as XML, and may export to HTML and MHT using the included XSLTs, or a custom transform supplied by the user.
As described above there are at present several methodologies and tools for assessing risks in various systems domains. These tools provide static lists of individual risks but do not give a true picture of the relative contribution of each threat to the overall risk combined with the cost-effectiveness of the proposed countermeasures. Other methodologies are based on creation of attack trees that provides a clearer understanding of the attack options from the opponent's point of view. Although these methodologies may be helpful in valuating probabilities of threats, they do not relate to the ranking of countermeasures by their effectiveness.
These methodologies and tools do not provide means for the creation of threat models where threats and countermeasures are classified according to a clear significance metrics, in order to facilitate a cost effective decision making process needed for protecting contemporary systems.
There is an obvious need for a practical threat analysis methodology and tools for maintaining a dynamic threats model and are capable of reacting to changes in system's assets and vulnerabilities by automatically recalculating threats and countermeasures priorities and providing decision makers with updated realistic action item lists that reflect the changes in threats realities. Countermeasure priorities should be expressed as a function of system asset values, degrees of damage, threat probabilities and degrees of mitigation provided by the proposed countermeasures to the threats.